Question 1

Is tini still necessary with Docker's --init flag?

Accepted Answer

Yes, because Docker's --init is optional and not supported in all container runtimes like Kubernetes. Tini ensures consistent signal handling and zombie process prevention across different environments, as noted in the README.

Question 2

How to pin Docker images for both security and reproducibility?

Accepted Answer

Use major.minor tags to automatically get security updates, and consider tools like docker-lock to track SHAs for reproducibility. This balances updates without manual intervention, as recommended in the template's FAQ.

Question 3

What's better for Docker: major.minor or SHA pinning?

Accepted Answer

Major.minor tags provide security updates but can break builds, while SHA pinning ensures reproducibility but requires manual updates. The template favors major.minor for average developers, but large teams might prefer SHA with automated scanning.

Question 4

How to handle file permissions with static UID in Docker?

Accepted Answer

Use chown on the host with the static UID/GID (e.g., 10000:10001) from the template to match the container's user. This ensures consistent file access across container runs without extracting UIDs dynamically.

Question 5

Can I use this template with Ubuntu base images?

Accepted Answer

Yes, but you may need to adapt it, such as replacing Alpine-specific bind-tools with equivalent packages like dnsutils. The core practices like non-root users and tini still apply, but setup commands vary.

Question 6

How to customize the non-root user UID in this Dockerfile?

Accepted Answer

Modify the USER and groupadd commands in the template to use different UID/GID values, ensuring they stay above 10,000 for security. Follow the comments in the Dockerfile for guidance on adjustments.

Dockerfile best practices

What is Dockerfile best practices?

Overview

Use Cases

Best For

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions